PCI Compliance: 4 Tips For Retailers Who Run Mainframes
By Ray Overby, Key Resources
Chances are, as a retailer, you rely on the mainframe to power your business. As many as 23 of the world’s top 25 retailers use the mainframe to make sure they can provide their customers with the personalized service today’s consumer craves. The z13 is capable of processing 2.5 billion transactions per day, the equivalent of roughly 100 Cyber Mondays.
Retail transactions — often involving credit cards — require secure processing. That’s one of the mainframe’s strong suits, and why 87% of the world’s credit card transactions are processed on the platform.
As important as the mainframe is to retail, the security and maintenance of those mainframes is often overlooked. That includes staying compliant with all manner of regulations designed to protect both your business and your customers.
Any retailer processing cardholder data has to make sure its IT systems comply with the Payment Card Industry (PCI) Data Security Standard (DSS), for example. PCI DSS is designed to protect any cardholder data that is stored, processed or transmitted on any platform, and it requires organizations to establish a process to identify security vulnerabilities and assign a risk ranking to newly discovered vulnerabilities.
Compliance with these complex regulations is often easier said than done, and the retail industry is no exception to this challenge.
A recent survey shows that even though most retailers want their PCI compliance rate to be higher than 70%, many small merchants are struggling with PCI compliance and compliance programs. Some don’t understand the need for compliance, some don’t know how to start a PCI program, and some don’t have the time, resources, or funds to dedicate to it. Worse still, there are merchants who don’t even know they need to engage with PCI DSS.
PCI DSS is a complicated regulation on any system, and there are unique complexities involved in staying compliant on mainframes. Let’s take a look at some specific PCI requirements and how they can be applied to z/OS systems.
1. “Develop and maintain secure systems and applications.”
Complying with PCI DSS means making sure that your systems are secure at every level. That includes checking for vulnerabilities not just at the application level but at the operating system level as well. System integrity and secure coding standards are not new to z/OS. Retailers need to perform vulnerability scans as part of their standard QA process to make sure the integrity of the system is not compromised.
2. “Do not use vendor-supplied defaults for system passwords and other security parameters.”
All mainframe system software comes with vendor-supplied defaults for z/OS, ESM products, databases, job schedulers, OLTPs, etc. Resist the temptation to assume that those vendor-supplied defaults are good enough for your business. Automated configuration reviews can be performed to validate that defaults have been removed.
3. “Protect all systems against malware and regularly update antivirus software or programs.”
System utilities, exits and privileged programs that are coded improperly can be exploited to bypass ESM and z/OS controls. Mainframe vulnerability scans help businesses locate those potential vulnerabilities, so you can be better protected against malware.
4. “Restrict access to cardholder data by business need-to-know.”
The principle of least privilege has been a core mainframe concept since the 1970s. The fewer people who have access to sensitive data, the less risk is involved. Automated configuration reviews can be performed to ensure that access controls follow the company’s security policy.
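As an added illustration of such an automated review (example code written for this article, not a Key Resources tool, and not a real ESM listing format): the script below checks a constructed, simplified set of dataset-profile records, modelled loosely on RACF-style profiles with a universal access (UACC) setting, warning mode and an access list, against a need-to-know policy for cardholder-data datasets. The profile names, user and group IDs, the `CHD.` high-level qualifier and the policy values are all assumptions.

```python
# Added example: least-privilege review of ESM-style dataset profiles that
# protect cardholder data. Records, names and policy are constructed for
# illustration and do not reproduce any real ESM listing format.
from dataclasses import dataclass, field

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class Profile:
    name: str                     # e.g. "CHD.CARDS.**" (constructed)
    uacc: str                     # universal access granted to everyone
    warning: bool                 # warning mode logs but does not deny
    acl: dict = field(default_factory=dict)  # user/group id -> access level

@dataclass
class Policy:
    cardholder_prefix: str        # datasets covered by PCI need-to-know
    need_to_know: set             # ids allowed any access at all
    max_access: str               # highest level the policy permits

def review(profiles, policy):
    """Return (profile, finding) tuples for cardholder-data profiles that
    violate the least-privilege policy. Other profiles are skipped."""
    findings = []
    for p in profiles:
        if not p.name.startswith(policy.cardholder_prefix):
            continue
        if p.uacc != "NONE":
            findings.append((p.name, f"UACC is {p.uacc}; must be NONE"))
        if p.warning:
            findings.append((p.name, "WARNING mode: violations are logged, not denied"))
        for uid, level in p.acl.items():
            if level == "NONE":
                continue  # an explicit deny entry is acceptable
            if uid not in policy.need_to_know:
                findings.append((p.name, f"{uid} has {level} but is not need-to-know"))
            elif ACCESS_RANK[level] > ACCESS_RANK[policy.max_access]:
                findings.append((p.name, f"{uid} has {level}; policy cap is {policy.max_access}"))
    return findings

# Constructed sample: two cardholder-data profiles and one unrelated profile.
SAMPLE_PROFILES = [
    Profile("CHD.CARDS.**", uacc="READ", warning=False, acl={"PAYGRP": "UPDATE", "OPERS": "ALTER"}),
    Profile("CHD.TOKENS.**", uacc="NONE", warning=True, acl={"PAYGRP": "READ", "TEMP01": "NONE"}),
    Profile("HR.PAYROLL.**", uacc="READ", warning=False, acl={"HRGRP": "UPDATE"}),
]
SAMPLE_POLICY = Policy(cardholder_prefix="CHD.", need_to_know={"PAYGRP"}, max_access="UPDATE")

if __name__ == "__main__":
    for name, finding in review(SAMPLE_PROFILES, SAMPLE_POLICY):
        print(f"{name}: {finding}")
```

On the sample data the review reports three findings: a non-NONE UACC and an out-of-group ALTER grant on the card dataset, and warning mode on the token dataset; the payroll profile is outside the cardholder scope and is not checked.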
The mainframe is the most “securable” of the PCI platforms available today, but any number of things, such as improperly managed operating system controls or software coding vulnerabilities, can leave a company susceptible to attack. Remember, attackers only need to be right once to spell disaster for both you and your customers.
Ray Overby is a Co-Founder and President of Key Resources, Inc. (KRI), a software and security services firm specializing in mainframe security. A recognized world authority in mainframe security, risk and compliance for IBM z Systems environments, Overby heads the KRI technical team. Drawing on more than 30 years of experience in z Systems, in both hands-on technical development and strategic roles, Overby’s multidimensional and solutions-driven approach ensures he is highly valued by clients and third-party technology partners, and he is much in demand as a speaker.